April 12, 2006

As we mentioned yesterday, Microsoft bundled an ActiveX function change related to the Eolas patent suit with the Internet Explorer security fixes for this month’s “Patch Tuesday.” That’s producing some complaints as Gregg Keizer reports at TechWeb:

By packaging a functionality change for Internet Explorer with a needed security update, Microsoft has alienated some IT pros, security vendors complained Wednesday.
…
“Microsoft often bundles non-security-related code in security updates,” said Mike Murray, director of research at vulnerability management vendor nCircle. “Little optimizations and that kind of thing. But I don’t remember them ever bundling a functionality update or, as in this case, removing functionality, with a security bulletin.”

The inclusion of the ActiveX changes “makes everything a mess” for companies deploying and testing Microsoft’s monthly patches, Murray said. “I’ve talked to some of our customers, and they’re at the point where they’re pulling out their hair.”

Instead, Microsoft should have separated the IE ActiveX changes from the security fixes. “They easily could have deployed it as a separate patch or rolled it into a service pack,” said Murray.

It’s a particular problem because the security “megapatch” for Internet Explorer resolved a number of critical vulnerabilities:

The large number of vulnerabilities covered by the bulletin precludes any finesse in mitigating against attack, Symantec concluded, and instead recommended that one option for companies unable to install the fixes is to “disable Internet Explorer until patches can be rolled out.” Other advice included setting the browser’s security settings to “High” and/or restricting browsing to corporate intranet and other trusted sites.

Symantec and other security companies raised the alert in part because 3 of the 7 critical flaws described in the bulletin are either currently being exploited or have been the target of published proof-of-concept code.

There is a separate “compatibility patch” that undoes the ActiveX function change, but the patch-counterpatch scenario apparently doesn’t have folks jumping for joy.